
How to remove Diablo6 virus and restore encrypted files

On August 9, the virus researcher Racco24 discovered a new version of the Locky virus, which is now distributed under the name Diablo6. In this article, we will tell you more about this virus, but we should start from the very beginning.

A year ago, the Locky virus became the biggest threat on the Internet, thanks to a massive distribution campaign, a complex structure, frequent updates and other factors. As a result, the scammers, according to various estimates, earned from several tens to several hundreds of thousands of dollars, and several months ago safely exchanged them from BTC into real money, using special services in the Bitcoin system that make it possible to hide the recipient of a transaction. It is worth noting that files encrypted by the Locky virus still cannot be decrypted. The spread of the virus was suspended, apparently by the scammers themselves, for unknown reasons, but just yesterday a new version of the virus was discovered. It cannot yet be said whether the virus will make a full return or whether this is just a one-off action, but so far the distribution of the Diablo6 version is very active.

The virus gets onto users' computers with the help of a proven scheme: fake e-mails. This time the scammers have changed their tactics and do not try to guess the right user at random. In their previous campaigns, the letters contained messages implying that the attached file was a requested report, or a bill for services or goods. Now the scammers do not try to guess, and the message reads "Files attached. Thanks." This means that the letter is likely to be opened by any user who conducts business correspondence and expects files of any kind. This makes the old method even simpler and more dangerous. On opening such a letter, you will see a ZIP file that contains a VBS script, which initiates the download of the virus. The virus is automatically downloaded to the %Temp% folder and installed on the computer. After that, everything follows the standard scheme: the computer is scanned and files are encrypted. Encrypted files get the extension .diablo6, and their names are changed to a random combination of numbers and letters. The ransom amount is 0.49 BTC, or approximately $1600.
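A mail gateway or triage script can flag this delivery pattern, a ZIP attachment carrying a script file, before a user opens it. The following is an added example, not part of the original article; it generalizes beyond VBS to other script types and to nested ZIPs, and the function names, limits and sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Script types that Windows runs on double-click. The article names only VBS;
# the other extensions are an added generalization.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
MAX_DEPTH = 2                  # assumption: nested ZIP levels to unpack
MAX_NESTED_BYTES = 20 * 2**20  # assumption: skip huge inner archives (zip bombs)


def script_members(data, depth=0, prefix=""):
    """Return paths of script files inside ZIP bytes, following nested ZIPs."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a readable ZIP, nothing to report
    with archive:
        for info in archive.infolist():
            # Windows ignores trailing dots/spaces, so strip them before matching.
            ext = os.path.splitext(info.filename.lower().rstrip(". "))[1]
            if ext in SCRIPT_EXTS:
                found.append(prefix + info.filename)
            elif (ext == ".zip" and depth < MAX_DEPTH
                  and not info.flag_bits & 0x1          # encrypted: cannot inspect
                  and info.file_size <= MAX_NESTED_BYTES):
                inner = archive.read(info)
                found += script_members(inner, depth + 1, prefix + info.filename + "!")
    return found


def _make_zip(members):
    """Build an in-memory ZIP from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples with harmless placeholder content (not real malware).
BENIGN = _make_zip({"report.txt": b"quarterly numbers"})
SUSPECT = _make_zip({"scan_0001.VBS": b"' placeholder"})
NESTED = _make_zip({"docs.zip": SUSPECT, "readme.txt": b"hello"})

if __name__ == "__main__":
    print([script_members(z) for z in (BENIGN, SUSPECT, NESTED)])
```

Any non-empty result is a reason to quarantine the message; encrypted or oversized inner archives are skipped here and should be treated as uninspectable rather than clean.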

Removal instructions

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab

Step 3. Check hosts file

Edit the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete any suspicious lines.

It has to look like this:

Step 4. Scan the system with an antivirus scanner


Why we recommend SpyHunter antimalware

Detects most kinds of viruses: malicious files and even malware registry keys will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If the program detects a virus on the computer, you will need to purchase the malware removal tool for $39,99 to delete viruses. SpyHunter has a Free Trial for one remediation and removal, subject to a 48-hour waiting period.


Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab

If you have performed all the actions described in the previous section, it's time to restore the files. In fact, this is not literally decryption, since the encryption methods used by the fraudsters are too complex. Generally, to recover the data, you should ask for support in anti-malware communities or from well-known virus fighters and antivirus program vendors. If you choose manual data recovery, read this item, which describes all the safest methods.